Deploy vaultwarden (ex bitwarden_rs) with Docker and Traefik - V2

Bitwarden_rs project renamed to vaultwarden recently. You can check the announcement here.

Its maintainer said there was no change in settings. I’ve follow his instructions to remove my old container and start a new container with the new image. Everything works fine so far.

Therefore I’ve updated my tutorial with the new image. If you are still using the old image, please follow his instructions on anouncement page to update to the new image.

I wrote a post about deploying Bitwarden a few months back. At the time, global configuration has not been introduced to Traefik 2. I’ve also changed the way of deploying services with Traefik since Traefik 2.2. I guess it is time to revisit my previous post and write an updated version to match my current set up.

As always,let me post my docker-compose.yml file first.

Please note, my docker-compose.yml is meant to be used with my Traefik configurations. It might not work with your set ups. You can find my Traefik configuration at this link

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
version: '3.7'

services:
bitwarden:
image: vaultwarden/server:latest
container_name: bitwarden
restart: always
volumes:
- ./bw-data:/data
environment:
- ADMIN_TOKEN=
- WEBSOCKET_ENABLED=true
networks:
- proxy
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
# Entry Point for https
- "traefik.http.routers.bitwarden-secure.entrypoints=websecure"
- "traefik.http.routers.bitwarden-secure.rule=Host(`bw.yourdomain`)"
- "traefik.http.routers.bitwarden-secure.service=bitwarden-service"
- "traefik.http.services.bitwarden-service.loadbalancer.server.port=80"
# websocket
- "traefik.http.routers.bitwarden-ws.entrypoints=websecure"
- "traefik.http.routers.bitwarden-ws.rule=Host(`bw.yourdomain`) && Path(`/notifications/hub`)"
- "traefik.http.middlewares.bitwarden-ws=bw-stripPrefix@file"
- "traefik.http.routers.bitwarden-ws.service=bitwarden-websocket"
- "traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012"

networks:
proxy:
external: true

As you can see I’ve added a bw-stripPrefix middleware for Websocket. This middle ware will be added in dynamic.yml as below:

1
2
3
4
5
6
7
8
9
10
11
12
# Dynamic configuration
...
stsSeconds: 31536000

bw-stripPrefix:
stripPrefix:
prefixes:
- "/notifications/hub"
forceSlash: false

user-auth:
...

There are a lot of settings you can use on official wiki. In my set up, I’ve set WebSocket, Admin Page, Disable registration and Disable invitations. You can add/remove features to suit your needs. I want to mention Admin Page specially because a lot of setting like SMTP can be set on Admin page. You don’t have to usea config.json file or a lot of environment variables on your docker-compose.yml file.

Admin Page is relatively easy to set up. All you need is a ADMIN_TOKEN environment variable. On the official document, they provided command openssl rand -base64 48 to generate a 48 bit random token with OpenSSL.

I will update this post with a video later. If you have any questions, please feel free to contact me.

Thank you for reading, see you next time.